Many S3 buckets leak corporate data

A security researcher at Rapid7 was looking for ways a company's documents could leak out, and found one in Amazon's S3 (Simple Storage Service). Many organisations have found that Amazon's S3 gives them easily expandable storage on Amazon's cloud and have put it to use for backup, document storage or as the backend capacity for a number of web services. This storage is organised into buckets, which can be marked public or private and can be referred to using a simple URL (e.g. http://s3.amazonaws.com/bucketname or http://bucketname.s3.amazonaws.com/).

The researcher decided to build on previous research, which had used a bucket finder tool that relied on just a word list to figure out bucket names, and to gather a wider sample. In total, 12,328 buckets were found in three ways: using dictionaries and permutations of Fortune 1000 company names and Alexa's top 100,000 sites to create the names, extracting S3 requests from HTTP traffic, and using Bing's search API. Most came from extracted S3 requests, thanks to the critical.io project. Of those, 10,377 were private and 1,951 were marked as public, but those 1,951 public buckets held 126 billion files.

Although some of the S3 buckets would be correctly set to public, analysis of a 40,000 file sample from the discovered public buckets revealed much sensitive data. The researchers found sales records and account information for a car dealership, an ad company's client records for tracking click-through rates, spreadsheets with personal employee information, database backups, video game source code and tools, PHP source code with usernames and passwords, and sales "battlecards" for a large software vendor. There were also personal photos from a number of social media sites, though this may be down to the sites using S3 to serve the images directly rather than retrieving them on their own servers and then sending them to users, a practice which compromises the confidentiality of all their users. Around 60% of the files were images or videos.

The Rapid7 researchers recommend that anyone who uses Amazon S3 as a storage platform immediately check that they have correctly set the access on their buckets. Amazon has a guide to the options available. According to the researchers, the Amazon AWS team has warned users about the risks and is currently putting in measures to try to proactively identify misconfiguration of buckets.
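
One way to carry out the recommended check on your own buckets, as an added example that is not code from Rapid7 or Amazon: it inspects bucket ACLs in the dictionary shape returned by the S3 GetBucketAcl API and reports grants to the two global groups. The bucket names and ACLs are constructed sample data.

```python
# Flag S3 bucket ACL grants that open a bucket to everyone.
# Input: dicts shaped like the S3 GetBucketAcl response
# (e.g. what boto3's s3.get_bucket_acl(Bucket=name) returns).
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
LOG_DELIVERY = "http://acs.amazonaws.com/groups/s3/LogDelivery"

AUDIENCE = {ALL_USERS: "anyone on the internet",
            AUTH_USERS: "any AWS account holder"}
# Effect of each ACL permission when granted on a bucket.
RISK = {"READ": "list every object key in the bucket",
        "WRITE": "create, overwrite and delete objects",
        "READ_ACP": "read the bucket ACL",
        "WRITE_ACP": "rewrite the bucket ACL",
        "FULL_CONTROL": "all of READ, WRITE, READ_ACP, WRITE_ACP"}

def public_grants(acl):
    """Return [(audience, permission, effect)] for grants to global groups."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") != "Group":
            continue  # CanonicalUser grants name one specific account
        audience = AUDIENCE.get(grantee.get("URI"))
        if audience:  # other groups (e.g. LogDelivery) are not public
            perm = grant.get("Permission")
            findings.append((audience, perm, RISK.get(perm, "unknown")))
    return findings

def audit(acls):
    """Map bucket name -> findings, keeping only publicly exposed buckets."""
    report = {name: public_grants(acl) for name, acl in acls.items()}
    return {name: found for name, found in report.items() if found}

# Constructed sample data (hypothetical bucket names and owner ID).
OWNER = {"Type": "CanonicalUser", "ID": "constructed-owner-id"}
SAMPLE_ACLS = {
    "example-private-bucket": {"Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": LOG_DELIVERY}, "Permission": "WRITE"}]},
    "example-public-bucket": {"Grants": [
        {"Grantee": OWNER, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]},
}

if __name__ == "__main__":
    for bucket, findings in audit(SAMPLE_ACLS).items():
        for audience, perm, effect in findings:
            print(f"{bucket}: {perm} granted to {audience} ({effect})")
```

This covers the bucket ACL only; bucket policies and per-object ACLs can also make content public and need their own review.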